Re: RFS: daloradius (updated package)

Hey Neil,

On Dec 26, 2007 5:55 PM, Neil Williams <codehelp@debian.org> wrote:

i.e. the problem lies within the package itself because it is an
intrinsically difficult package to build properly and you would be best
advised finding something else when you are only just starting out as
maintainer. PHP is a nightmare for security problems and packaging
problems. What I say to you is what I would say to anyone reading the NM
guide for the first time - *don't start with PHP*! (Don't start with a
compiled library either, they are complex in entirely different ways.)
The NM guide does mention that libraries are not a wise choice for your
first package but as it happened, I didn't get the chance of my own
advice because when I started NM, I was already upstream for a library
in Debian that needed an update. ;-) So learn from my mistakes and don't
do things the hard way.

Uhm, it seems to me that the daloradius package is actually as easy
as it can be. It's just a bunch of .php and other related web application
scripts which should simply be copied to /usr/share.
There's no compilation, no updating of libraries and nothing that would
seem to be complicated... Maybe I'm missing something but as I see it,
the "package" should simply unpack the web application files into a directory
and that's it.

Please correct me if I'm wrong.

> Maybe it was my mistake to submit the new package (0.9.5) and also go
> all over again about creating a package while I already started
> working on it
> in previous versions (0.9.3 and 0.9.4) - so for that I am sorry, it
> seemed to
> have fired up an un-called for argument about the package building.

I'd take that as a hint that you ought to consider learning how things
work using a different package as your starting point.

I'm not going to advise you on daloradius for a couple of reasons:
1. I don't generally sponsor PHP anyway (I will but only if the
maintainer convinces me that s/he has a firm grasp of the issues
involved, which you have not done.)

Again, I'm either missing something or there's a misunderstanding
of what daloradius is. What kind of php security issues are there?

2. I don't think daloradius is the right package for you to maintain
right now and therefore cannot be the right package for me to sponsor.
Come back to it once you have learnt a lot more about Debian by
packaging at least one different package that is not written in PHP.

As far as PHP goes, convenience (of programming) is very definitely the
enemy of security. (Yes, I do write PHP, I do know at least some of the
problems inherent in that language. No, I would not dare inflict my PHP
on Debian as a package, I stick to the few web servers to which I have
root access so that I can step in and rescue it when things go wrong.)

So the reason to reject a project is because of its programming nature,
which may be very much exploitable and unsafe?

Leave daloradius behind - forget it completely. Move on to a different,
preferably compiled, package and restart with the NM guide. Don't even
revisit daloradius packaging until you have had at least one non-PHP
package successfully sponsored and bug free in Debian testing.

I can't leave it alone Neil, it's my baby :-)


